Skip to content
Permalink
Browse files
Fixed Directory Traversal while fetching Nuclei templates, reported by
…@K0enM on huntr!
  • Loading branch information
yogeshojha committed Sep 1, 2021
1 parent 8e54661 commit 171fabc2f5a74197ef371e8e06f4b447a3bcad87
Showing with 30 additions and 8 deletions.
  1. +20 −8 web/api/views.py
  2. +10 −0 web/reNgine/common_func.py
@@ -18,6 +18,8 @@
from targetApp.models import *
from recon_note.models import *

from reNgine.common_func import is_safe_path

class VulnerabilityReport(APIView):
def get(self, request):
req = self.request
@@ -30,29 +32,39 @@ def get(self, request, format=None):
name = req.query_params.get('name')

if 'nuclei_config' in req.query_params:
f = open("/root/.config/nuclei/config.yaml".format(name), "r")
f = open("/root/.config/nuclei/config.yaml", "r")
return Response({'content': f.read()})

if 'subfinder_config' in req.query_params:
f = open("/root/.config/subfinder/config.yaml".format(name), "r")
f = open("/root/.config/subfinder/config.yaml", "r")
return Response({'content': f.read()})

if 'naabu_config' in req.query_params:
f = open("/root/.config/naabu/naabu.conf".format(name), "r")
f = open("/root/.config/naabu/naabu.conf", "r")
return Response({'content': f.read()})

if 'amass_config' in req.query_params:
f = open("/root/.config/amass.ini".format(name), "r")
f = open("/root/.config/amass.ini", "r")
return Response({'content': f.read()})

if 'gf_pattern' in req.query_params:
f = open("/root/.gf/{}.json".format(name), "r")
return Response({'content': f.read()})
basedir = '/root/.gf'
path = '/root/.gf/{}.json'.format(name)
if is_safe_path(basedir, path):
content = open(path, "r")
else:
content = "Invalid path!"
return Response({'content': content})


if 'nuclei_template' in req.query_params:
f = open("/root/nuclei-templates/{}".format(name), "r")
return Response({'content': f.read()})
safe_dir = '/root/nuclei-templates'
path = '/root/nuclei-templates/{}'.format(name)
if is_safe_path(safe_dir, path):
content = open(path.format(name), "r")
else:
content = 'Invalid Path!'
return Response({'content': content})

return Response({'content': "ping-pong"})

@@ -282,3 +282,13 @@ def send_hackerone_report(vulnerability_id):
status_code = 111

return status_code


def is_safe_path(basedir, path, follow_symlinks=True):
# Source: https://security.openstack.org/guidelines/dg_using-file-paths.html
# resolves symbolic links
if follow_symlinks:
matchpath = os.path.realpath(path)
else:
matchpath = os.path.abspath(path)
return basedir == os.path.commonpath((basedir, matchpath))

0 comments on commit 171fabc

Please sign in to comment.